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[DESCRIPTION] 
[Invention Title] 

TWO-FACTOR AUTHENTICATED KEY EXCHANGE METHOD AND 
AUTHENTICATION METHOD USING THE SAME, AND RECORDING 
5 MEDIUM STORING PROGRAM INCLUDING THE SAME 
[Technical Field] 

The present invention relates to an AKE (authentication and key 
establishment) protocol. More specifically, the present invention relates to a 
TAKE (two-factor authenticated key exchange) method in services such as the 
10 Internet, wireless LANs, and public access wireless LANs, a security method for 
authenticating entity and establishing a key using the same, and a recording 
medium storing a program including the same. 
[Background Art] 

Conventional authentication and key establishment methods includes 
15 the TLS (transport layer security) method which uses certificates, the SRP 
(secure remote password) method and the EAP (extensible authentication 
protocol)-MD5 method which use passwords, and the PEAP (protected EAP) 
method and the EAP-TTLS (tunneled TLS) which use both certificates and 
passwords, and these methods respectively have advantages and 
20 disadvantages. That is, the TLS methods needs a PKI (public key infrastructure) 
which is complicated and spends a large cost, and a certificate management 
system, the SRP method requires a large amount of exponentiation from a user 
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terminal and is weak against 2-for-1 guess attacks. Also, the PEAP and EAP- 
TTLS methods are weak against the MitM (man-in-the-middle) attacks and have 
a great number of times on exchanged messages, and the EAP-MD5 has a 
disadvantage of providing no mutual authentication and session key. 
5 In particular, it is not easy to find an 802.1 x EAP authentication method 

which is secure and effective in the case of using PDAs (personal digital 
assistants) on the (public access) wireless LAN because the PDAs need a long 
time and consumes much power when performing complicated operations such 
as exponentiation and inverse element computation. 
10 General authentication factors include (1) a factor which a user 

memorizes (e.g., passwords) and (2) a factor which the user possesses (e.g., a 
token or a mobile device). 

A single-factor authentication method using the password of item (1) is 
not secure because of following problems. First, when the user inputs the 
15 password, another person behind the user may cheat it, and the password may 
be exposed through keystroke monitoring. Second, the password may be 
exposed to the attackers through social engineering such as tricks and threats. 
Third, the password is weak against dictionary attacks since it has a low entropy 
with respect to the amount of information. Fourth, the password may be 
20 exposed because of the user's bad habits such as writing the password on a 
paper or using it to many places without updating it. In particular, the public 
access wireless LAN service for attempting network accesses in the hot spot 
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area is more dangerous to the attacks because the attackers may acquire the 
passwords off line through the keystroke monitoring or social engineering even 
though the EAP-SRP, PEAP, and EAP-TTLS methods for authenticating the 
users through the passwords are secure protocols against the dictionary attacks. 

5 Further, the single-factor authentication method using the token or the 

mobile device requires a token and an input device (e.g., a card reader) for 
reading the token. The- token which is the second factor includes mobile devices 
such as a smart card, a USB (universal serial bus) key, and PDAs. Therefore, 
the usage of the USB key for the token in the radio environment requires not 

10 much cost since no further hardware is needed to be added. In this instance, the 
token is to be stored in a security module with a temper resistant characteristic 
since the token has secret information on a symmetric key or personal 
authentication. 

Accordingly, the Internet or the (public access) wireless LAN requires a 
15 better authentication system than the authentication executed by the above- 
noted authentication components, and in particular, the authentication methods 
for solving subsequent technical requirements are needed. 

(1) Identity protection: It is necessary to protect identities of clients from 
passive attacks such as wiretap for the purpose of privacy. In particular, the 

20 protection is useful for the user who receives an IP address through the DHCP 
(dynamic host configuration protocol). 

(2) Powerful mutual authentication: Mutual authentication between a 
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subscriber and a network is needed since the attackers can perform an MitM 
attack while they are located between the subscriber and an authentication 
server. 

(3) Session key establishment: A session key is to be established in 
5 order to protect data communicated between the subscriber and the network. 

(4) FS (forward secrecy): An FS which is a property of preventing the 
attackers from calculating past session keys from the previous wiretapped 
session when a long term secret keying material of an object which participates 
in a protocol is exposed, is to be provided. The FS is classified as a half FS and 

10 a full FS. The former one represents that the attacker cannot induce the past 
session key when a secret key of one of the objects which include the 
subscriber and the authentication server is exposed, and the latter one denotes 
that the session key is secure when the secret keys of the two objects are 
exposed. 

15 (5) Security on offline dictionary attacks: The protocol is to be designed 

such that the attacker may not obtain secret information shared by the 
subscriber and the server when the attacker attacks the offline dictionary to try 
to acquire the secret information. 

(6) Security on MitM attacks: The (public access) wireless LAN must be 
20 designed to be secure against the MitM attacks using the rouge AP (access 

point) or the rouge wireless NIC. 

(7) Security on replay attacks: It is needed to prevent the attackers from 
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retransmitting used messages and succeeding in authentication and key 
establishment. 

(8) Efficiency: 

- Minimize operation loads: It is needed to require a less amount of 
5 operation applicable to the PDAs in the (public access) wireless LAN. The load 

of online computation is to be minimized by using pre-computation. 

- Minimize the number of times on message exchanges: It is more 
advantageous as the number of communication rounds becomes lesser in 
consideration of efficiency of network resources and delay on the network. 

10 Therefore, the number of times on the messages to be exchanged between the 
subscriber and the authentication server is to be less. 

- Minimize the usage of communication bandwidths; Sizes of protocol 
messages are to be small. 

(9) Key confirmation: The legal user who participates in the protocol is to 
15 be confirmed that he shares a common secret session key with a desired peer. 

(10) Non-repudiation: A non-repudiation function for preventing the user 
from repudiating billing data such as a service used time and a number of times 
on network accesses. 

(Disclosure] 
20 [Technical Problem] 

It is an advantage of the present invention to provide a TAKE method for 
authenticating subscribers by using keys stored in the password and token 
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which are two independent authentication factors, an authentication method 
using the same, and a recording medium storing a program including the same. 
[Technical Solution] 

In one aspect of the present invention, in a key exchange method for 
5 mutual authentication at a subscriber station accessed to an authentication 
server through a wired/wireless communication, a two-factor authenticated key 
exchange method comprises: (a) the subscriber station transmitting a key to the 
authentication server, the key being generated using an identifier of the 
subscriber station and a public key of the authentication server; (b) the 
10 subscriber station receiving a random number generated by the authentication 
server; (c) using the received random number, a password predefined in the 
subscriber station, and a key stored in a token, and transmitting an encrypted 
first specific value and a generated authenticator of the subscriber to the 
authentication server; (d) the subscriber station receiving an authenticator of the 
15 authentication server according to an authentication success on the transmitted 
authenticator of the subscriber by the authentication server; and (e) the 
subscriber station using the secret key and the password, authenticating the 
received authenticator of the authentication server, and receiving the 
authenticator of the authentication server when the authentication is successful. 
20 The two-factor authenticated key exchange method further comprises: 

before (a), the subscriber station determining the symmetric key and the 
password used for a symmetric key algorithm and sharing the symmetric key 
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and the password with the authentication server during a registration process; 
and the subscriber station generating a random number and precomputing the 
first determined value when the subscriber station does not exchange a key for 
authentication with the authentication server. 

The subscriber station stores the password and the public key of the 
authentication server in the token. 

The generated key is generated by applying a one-way Hash function to 
an identifier of the subscriber station and the public key of the authentication 
server in (a). 

The (c) comprises: applying the Hash function to the received random 
number, the password, and the key stored in the token, and generating a 
second predetermined value; using the second predetermined value and 
encrypting the first predetermined value; using the random number and the first 
predetermined value, and generating the subscriber's session key; applying the 
Hash function to the generated session key, the password, the key stored in the 
token, and the identifier of the subscriber station, and generating the 
subscriber's authenticator; and transmitting the encrypted first predetermined 
value and the subscriber's authenticator to the authentication server. 

The (e) comprises: applying the Hash function to the subscriber's 
session key, the password, the key stored in the token, and the public key of the 
authentication server, and generating a third predetermined value; determining 
whether the generated third predetermined value corresponds to the 

7 
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authenticates of the authentication server received from the authentication 
server; and determining that the authentication between the subscriber station 
and the authentication server is successful and receiving the authenticator of 
the authentication server when the generated third predetermined value is found 
5 to correspond to the authenticator of the authentication server. 

In another aspect of the present invention, in a method for an 
authentication server accessed to a subscriber station for wired/wireless 
communication to exchange a key for mutual authentication, a two-factor 
authenticated key exchange method comprises: (a) the authentication server 
10 receiving a key which is generated by the subscriber station by using an 
identifier and a public key of the authentication server; (b) the authentication 
server using the value received from the subscriber station, detecting the 
subscriber's password, the key stored in a token, and a public key of the 
authentication server, generating a random number, and transmitting the 
15 random number to the subscriber station; (c) the authentication server receiving 
an encrypted value generated by the subscriber station and the subscriber's 
authenticator based on the transmitted random number; (d) the authentication 
server establishing a first predetermined value generated by using the password, 
the key stored in the token, and the random number to be a secret key, 
20 decrypting the encrypted value received in (c) to generate a second 
predetermined value, authenticating the received authenticator of the subscriber 
based on the second predetermined value, and receiving the subscribers 
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authenticator when the authentication is successful; and (e) the authentication 
server using the password, the key stored in the token, and the public key, and 
transmitting the authenticator of the authentication server to the subscriber 
station. 

5 The two-factor authenticated key exchange method further comprises: 

before (a), the authentication server determining the symmetric key and the 
password used for a symmetric key cryptosystem and sharing the symmetric 
key and the password with the subscriber station during a registration process. 

The authentication server stores the key stored in the token, the 

10 password, and the secret key of the authentication server in a security file 
database. 

The (d) comprises: applying the Hash function to the password, the key 
stored in the token, and the random number, and generating the first 
predetermined value; establishing the generated first predetermined value to be 

15 a secret key, decrypting the received encrypted value, and generating the 
second predetermined value; using the generated second predetermined value, 
the public key of the authentication server, and the random number, and 
generating a session key of the authentication server; determining whether the 
value obtained by applying the Hash function to the generated session key, the 

20 password, the key stored in the token, and an identifier of the subscriber station 
corresponds to the received authenticator of the subscriber; and determining 
that the authentication for the subscriber is found to be successful and receiving 
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the authenticates of the subscriber when the value corresponds to the received 
authenticator of the subscriber. 

The session key of the authentication server is used to generate the 
authenticator of the authentication server in (e). 
5 The subscriber station transmits a user name, a hashed value of the 

public key of the authentication server, and a domain name to the authentication 
server when the identifier of the subscriber station uses the NAI (network 
access ID) format in order to support global roaming and billing in (a). 

In still another aspect of the present invention, in a mutual authentication 
10 method through a two-factor authenticated key exchange between a subscriber 
station and an authentication server in a wireless communication system in 
which the subscriber station and the authentication server are accessed through 
an access point, an authentication method through a two-factor authenticated 
key exchange comprises: (a) the subscriber station receiving an identifier 
15 request from the access point; (b) the subscriber station transmitting a key 
which is generated by using an identifier of the subscriber station and a public 
key of the authentication server to the authentication server through the access 
point; (c) the authentication server using the key received from the subscriber 
station, detecting the subscriber's password, the secret key, and the public key 
20 of the authentication server, generating a random number, and transmitting the 
random number to the subscriber station through the access point; (d) the 
subscriber station using the received random number, the password, and the 
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key stored in the token, and transmitting an encrypted first predetermined value 
and the generated authenticator of the subscriber to the authentication server 
through the access point; (e) the authentication server establishing a second 
predetermined value generated by using the password, the key stored in the 
5 token, and the random number to be a secret key, decrypting the encrypted 
value received in (d), authenticating the received authenticator of the subscriber 
based on the decrypted value, and when the authentication is found successful, 
transmitting an authenticator of the authentication server generated by using the 
password, the key stored in the token, and the public key to the subscriber 
10 station through the access point; (f) the subscriber station using the key stored 
in the token and the password, authenticating the received authenticator of the 
authentication server, and transmitting an authentication result to the 
authentication server through the access point; and (g) the authentication server 
transmitting an access permission for the subscriber to the subscriber station 
15 through the access point when the authentication result transmitted from the 
subscriber station is found successful. 

The key stored in the token is a symmetric key. 

An extensible authentication protocol is used between the subscriber 
station and the access point, and a RADIUS protocol is used between the 
20 access point and the authentication server. 
[Description of Drawings] 

The accompanying drawings, which are incorporated in and constitute a 

11 
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part of the specification, illustrate an embodiment of the invention, and, together 
with the description, serve to explain the principles of the invention; 

FIG. 1 shows a flowchart of a TAKE protocol according to a preferred 
embodiment of the present invention; and 
5 FIG. 2 shows an authentication and key exchange flowchart in a public 

access wireless LAN using the TAKE protocol according to a preferred 
embodiment of the present invention. 
[Best Model 

In the following detailed description, only the preferred embodiment of 
10 the invention has been shown and described, simply by way of illustration of the 
best mode contemplated by the inventor(s) of carrying out the invention. As will 
be realized, the invention is capable of modification in various obvious respects, 
all without departing from the invention. Accordingly, the drawings and 
description are to be regarded as illustrative in nature, and not restrictive. To 
15 clarify the present invention, parts which are not described in the specification 
are omitted, and parts for which similar descriptions are provided have the same 
reference numerals. 

An authentication method using the TAKE protocol according to a 
preferred embodiment of the present invention will be described. 
20 FIG. 1 shows a flowchart of a TAKE protocol according to a preferred 

embodiment of the present invention. 

Symbols described in the preferred embodiment are defined below. 

12 
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A: subscriber (supplicant or client) 
B: authentication server 
tt: password 

t: symmetric key used for symmetric key encryption 
5 ID A : identifier of the subscriber A 

Ek{ } and Dk{ }: Encryption and decryption with symmetric key K 

H( ): One-way Hash function 

sk A : session key generated by A 

p: large prime number 
10 q: a large prime number for dividing (p-1) 

g: generator which is an element of Z* p with the order of q, and 

b, g b (mod p): static secret key and public key of authentication server B 

Referring to FIG. 1, an operation of the TAKE protocol according to the 
preferred embodiment of the present invention includes an enrollment stage, a 
15 precomputation stage, and a performance stage. 

The enrollment stage will now be described. 

A subscriber Client A which is substantially the client's mobile terminal 
and the server B determine the symmetric key t and the password tt used for 
the symmetric key cryptosystem such as the 3DES (data encryption standard) 
20 or the Rijndael, and share them. The server selects a number <b> within the 
range of the secret key [1 ~ q-1] of the server for a specific client, stores the 
number in a secure database DB, and notifies the client of the server's public 

13 
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key g b and domain parameters p, q, and g. The client stores the symmetric key 
in a token. The server's public key g b and domain parameters p, q, and g are not 
necessary to be stored in a secure place since they are public information. 
The precomputation stage will now be described. 
5 The precomputation stage is performed on line before the protocol is 

performed, and in detail, it reduces time and computation used during the 
performance of the protocol. 

The client's mobile terminal performs precomputation in the case of an 
idle time at which no mobile network is used or when the terminal is turned on. 
10 As shown in FIG. 1 , the client A selects a random number x within the range of 
[1 ~ q-1]. That is, the client selects the random number x^RZ q , and 
precomputes g x and g bx =c (mode p hereinafter) by using the random number x. 

The performance stage will now be described, which performs mutual 
object authentication and session key establishment as follows. 
15 (1) The client A transmits H(ID Af g b ) which is a hashed value of the 

client's identifier ID A and the authentication server's public key g b in order to 
access the Internet or the (public access) wireless LAN. 

When the client ID uses the NAI (network access ID) format in order, to 
support global roaming and billing, for example, when the client ID is given to be 
20 userid@realm.com, H(userid, g b ) which is a hashed value of the user name and 
g b , and the realm name are transmitted. 

(2) The authentication server B receives H(ID A , g b ) and detects <H(ID Af 

14 
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g b )>, <ID A >, <Tr>, <t>, and <b> from a client security file database DB. The 
authentication server B selects a random number r^ R Zq within the range of [1 ~ 
q-1], and transmits the number to the client A. 

(3) The client A receives the number r from the authentication server B, 
5 computes the hashed value of f=H(r, tt, t) by using the values of tt and t, 

computes e=Ef{g )( } by using the value of f as a symmetric key for performing 
symmetric key encryption on the value of g x , computes a session key of sk A =H(c, 
g x , r) which is a hashed value of c, g x , and r, and generates an authenticator of 
MA=H(sk A) tt, t, ID A ) which is a hashed value of tt, t, and ID A . The client A 
10 transmits the generated e and M A to the authentication server B. 

(4) The authentication server B receives e and M A from the client A, 
computes f=H(r, tt, t) by using r, tt, and t, decrypts the received e by using the 
computed secret key of f, and finds g x =Df{e}. 

The authentication server B computes c=g xb by using the found g x and b, 
15 computes sk B =H(c, g x , r) by using c and r, generates H(sk B , tt, t, ID A ), and 
checks whether H(ske, tt, t, ID A ) corresponds to the received M A . When the two 
values correspond to each other, the authentication on the client A is found 
successful, and the authentication server B receives the M A transmitted by the 
client A, computes MB=H(skB, tt, t, g b ), and transmits the computed Mb to the 
20 client A. 

(5) The client A checks whether Mb received from the authentication 
server B corresponds to H(sk B , tt, t, g b ) computed by the client A. When the two 
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values correspond to each other, the authentication on the authentication server 
B is found successful, and the client A receives Mb. When the client A and the 
authentication server B receive M A and Mb respectively, mutual authentication 
between the client A and the authentication server B is found successful. 
5 FIG. 2 shows an authentication and key exchange flowchart in a public 

access wireless LAN using the TAKE protocol according to a preferred 
embodiment of the present invention. 

Referring to FIG. 2, a subscriber (a supplicant or a client) 100 and an 
authentication server (or a RADIUS server) 300 are connected each other 
10 through an access point 200 such as a (public access) wireless LAN, and the 
subscriber 100 is authenticated by the authentication server 300. 

In this instance, an EAP (extensible authentication protocol) is used 
between the subscriber 100 and the access point 200, and a RADIUS protocol 
is used between the access point 200 and the authentication server 300. 
15 Also, the subscriber 100 stores a symmetric key t, a password tt, a 

public key g b of the authentication server 300, DH (Diffie-Hellman) domain 
parameters p, q, and g, and the authentication server 300 stores a server secret 
key b in addition to a symmetric key t, a password tt, a public key g b of the 
authentication server 300, DH (Diffie-Hellman) domain parameters p, q, and g. 
20 When the subscriber 100 requests an access service to the (public 

access) wireless LAN, the access point 200 transmits an EAP-request identity 
with identity 1 to the subscriber 100 in step S100. 
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The subscriber 100 transmits an EAP-response/identity H(ID A| g b ) which 
defines the hashed value H(ID At g b ) of the identifier I Da of the subscriber and 
the public key g b of the authentication server 300 as an identity to the access 
point 200 in step S110. 
5 The access point 200 transmits an radius-access-request H(ID A , g b ) on 

the authentication server 300 including the identity transmitted from the 
subscriber 100 in step S120. 

The authentication server 300 detects <ID A >, <tt>, <t>, and <b> from the 
corresponding database based on H(ID A , g b ) transmitted from the access point 
10 200, selects a random value re R Z q , and transmits the value as a radius-access- 
challenge value to the access point 200 in step S130, and the access point 200 
defines the value of r as TAKE subtype 1 , and transmits an EAP-request TAKE 
subtypel(r) to the subscriber 100 in step S140. 

The subscriber 100 receives the random value of r from the 
15 authentication server 300, computes the hashed value of f=H(r, tt, t) by using tt 
and t, computes e=Ef{g x } by using the value of f as a secret key for encrypting 
the symmetric key, computes a session key sk A =H(c, g x , r) which is a hashed 
value of c, g x , and r, generates an authenticator M A =H(sk Af tt, t, ID A ) which is a 
hashed value of it, t, and ID A , and transmits an EAP-response/TAKE subtypel 
20 (e, M A ) on e and M A in the TAKE subtypel to the access point 200 in step S150, 
and the access point 200 transmits a radius-access-request (e, M A ) including (e, 
M A ) transmitted from the subscriber 100 to the authentication server 300 in step 

17 
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S160. 

The authentication server 300 receives e and M A from the subscriber 
100, computes a hashed value of f=H(r, tt, t) by using r, tt and t, decrypts the 
received e with the computed secret key of f, finds g x =Df{e}, computes c=g xb by 
5 using the found g x and b, computes sk B =H(c, g x , r) by using c and r, generates 
H(sk B , tt, t, ID A ), and checks whether H(sk B , tt, t, I Da) corresponds to the 
received M A . When they correspond to each other, the authentication on the 
subscriber 100 is found successful, and the authentication server 300 receives 
M A from the subscriber 100, computes MB=H(sk Bl tt, t, g b ), and transmits M B as 
10 a radius-access-challenge(M B ) to the access point 200 in step S170. 

The access point 200 defines the M B transmitted from the authentication 
server 300 as a TAKE subtype2, and transmits an EAP-request TAKE 
subtype2(M B ) to the subscriber 100 in step S180. 

The subscriber 100 receives M B from the authentication server 300, and 
15 checks whether the M B corresponds to H(sk B , tt, t, g b ) computed by the 
subscriber 100. When they correspond to each other, the authentication on the 
authentication server 300 is found successful, and the subscriber 100 receives 
the M B . When the subscriber 100 and the authentication server 300 receive the 
Ma and the M B respectively, the mutual authentication between the subscriber 
20 1 00 and the authentication server 300 is found successful. 

The subscriber 100 transmits an EAP-response/TAKE subtype2 on the 
TAKE subtype2 which represents acknowledgment to the access point 200 in 

18 
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step S190, and the access point 200 transmits a radius-access-request 
including the message transmitted from the subscriber 100 to the authentication 
server 300 in step S200. 

When the authentication result transmitted from the subscriber through 
5 the access point 200 is successful, the authentication server 300 transmits a 
radius-access-accept message to the access point 200 in step S210, and the 
access point 200 transmits an EAP-success message to the subscriber 100 
according to the result in step S220, and transmits an EAPOL (EAP 
encapsulation over LAN protocol)-key message to the subscriber 100 in order to 
10 notify the subscriber 100 that the access is allowed in step S230. 

In this instance, the messages or packets transmitted between the 
subscriber 100 and the access point 200 include the EAPOL. 

It will now be described whether the TAKE protocol using authentication 
method satisfies technical conditions required for powerful authentication. 
15 Security analysis on the TAKE protocol using authentication method according 
to the preferred embodiment of the present invention is given below. 

(1) Identity protection: When receiving an ID request, the subscriber 
transmits H(ID A , g b ) instead of the subscribers I Da so that passive attackers 
such as wiretappers may not know the subscriber's identity. Here, the 

20 authentication server is to match the subscribers anonymity with the 
subscriber's real identity. 

(2) Powerful mutual authentication: The subscriber can lead an 

19 
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authenticator MA and acquire authentication when he knows the password tt, 
the secret key t, and the authentication server's public key g b . The 
authentication server can lean an MB and obtain network authentication when it 
knows the password tt, the secret key t, the subscriber ID A , and the server's 
5 secret key b. Thus, powerful mutual authentication is allowed. 

(3) Session key establishment: Session keys sk A and skB are generated 
to protect data between the subscriber and the authentication server. The 
generated session keys provide randomness and freshness which are caused 
by selection of dynamic numbers x and r of the respective objects. 
10 (4) FS (forward secrecy): When secret information <IDA>, <tt>, <t>, and 

<g b > possessed by the subscriber is exposed to the attacker, he can decrypt the 
e ciphertext to know g x , but it is difficult to compute the value of c=g xb because 
of the DLP (discrete logarithm problem). Further, when the secret key <b> of the 
server is exposed, the attacker must know the g x in order to compute the value 
15 of c=g xb , and must know <tt> and <t> in order to know g x . That is, the attacker 
can compute the session keys when he knows <b>, <tt>, and <t>. However, 
since the service providers are big companies and are deemed to have their 
own excellent security systems in the actual (public access) wireless LAN 
environment, the probability in which important secret information relating to 
20 security is revealed to the attackers seems very low. Therefore, the TAKE 
protocol is not a general half FS but a practical half FS in the (public access) 
wireless LAN. 
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(5) Offline dictionary attacks: The attackers may attempt attacking the 
offline dictionary in order to acquire secret information for successful 
authentication. The passwords with low entropy may be weak against the attack, 
but this kind of attack is substantially impossible since the secret key and the 
5 password with high entropy stored in the token are used as keys for encrypting 
the random value of g x in the TAKE. That is, the attacker must presume the 
password, the secret key, and the random value of g x . 

(6) Security on the MitM attacks: The attackers can be located between 
the subscriber and the server to perform the MitM attack, but this attack is very 

10 difficult to succeed since the TAKE uses the powerful two-factor authentication. 

(7) Security on the replay attacks: The replay attack represents an attack 
method for the attacker to retransmit the used message and reestablish the 
previous session key. The TAKE is secure against the replay attacks since the 
subscriber and the server respectively generate the random numbers x and r for 

15 each session to generate session keys. 

(8) Efficiency 

- Minimize operation loads: The DH (Diffie-Hellman) protocol is 
frequently used for the AKE protocol since it provides the FS, but it requires 
exponentiation computation and generates a large amount of computation. Most 
20 operation time is used for exponentiation, computation of inverse elements, and 
multiplication. In particular, the PDAs use much real-time authentication time 
when the amount of calculation is increased. Therefore, the TAKE method is 
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designed to allow the subscriber to use one symmetric key encryption and five 
hash functions on line, and perform exponentiation computation twice for the 
precomputation off line. The server needs amounts of computation on one 
exponentiation, one symmetric key decryption, and four hash functions. 

5 - Minimize the number of times on message exchanges: Since the TAKE 

has four passes, the number of messages to be exchanged between the 
subscriber and the authentication server is less. 

- Minimize the usage of communication bandwidths: Three of from 
among five messages represent an output bit number of Hash functions, one 

10 thereof is a bit number of a random number, and the last one thereof is an 
output bit number of the ciphertext of g x . 

(9) Key confirmation: The TAKE includes session keys in the 
authenticators MA and MB and performs key confirmation to thus check that the 
legal subscriber who participated in the protocol shares the common secret 

15 session key with the desired authentication server. 

(10) Non-repudiation: The TAKE does not use digital signatures but uses 
powerful two-factor authentication, and hence, it is prevented for deceitful users 
to use the service and deny the usage of service. 

The preferred embodiment of the present invention described above can 
20 be realized in a program, and stored into computer-readable recording media 
(CD-ROMs, RAMs, floppy disks, HDDs, and optical discs.) 

While this invention has been described in connection with what is 
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presently considered to be the most practical and preferred embodiment, it is to 
be understood that the invention is not limited to the disclosed embodiments, 
but, on the contrary, is intended to cover various modifications an equivalent 
arrangements included within the spirit and scope of the appended claims. 



23 



